

Cloud Security Risks: Identify and Protect Against Threats


Identify vulnerabilities and remediation techniques

Lab · 1 hour 30 minutes · 5 Credits · Introductory
This lab may incorporate AI tools to support your learning.

IMPORTANT:

Make sure to complete this hands-on lab on a desktop/laptop only.

There are only 5 attempts permitted per lab.

As a reminder, it is common to not get every question correct on your first try, and even to need to redo a task; this is part of the learning process.

Once a lab is started, the timer cannot be paused. After 1 hour and 30 minutes, the lab will end and you’ll need to start again.

For more information, review the Lab technical tips reading.

Activity overview

Identifying vulnerabilities and implementing remediation techniques is crucial for helping ensure the security and stability of various systems and applications. Many applications and systems handle sensitive information, such as personally identifiable information, financial records, or intellectual property. Identifying vulnerabilities helps protect this sensitive data from unauthorized access and potential breaches. Addressing vulnerabilities early in the development process is generally more cost-effective than dealing with security breaches later. The cost of remediating a vulnerability is often much higher than the cost of preventing it in the first place.

As a security analyst, regularly scanning for vulnerabilities helps you identify and address weaknesses before they can be exploited, mitigating potential threats proactively. Scanning also provides insight into an application’s attack surface, enabling you to understand potential avenues of exploitation and prioritize critical areas for improvement.

In this lab, you'll learn not only how to set up and run a vulnerable application but also how to scan it for vulnerabilities.

Scenario

Cymbal Bank has developed a new banking application for its corporate clients that is set to be hosted and deployed on the new cloud infrastructure. The Chief Information Security Officer (CISO), Javier, wants to prioritize the security of this application before it is launched and customer-facing. Your team lead, Chloe, has tasked you with identifying and mitigating any application vulnerabilities for this new application. You'll use the Web Security Scanner in Google Cloud to scan the application for vulnerabilities pertaining to a top OWASP® web application vulnerability known as Cross-Site Scripting (XSS).

Here’s how you'll do this task: First, you’ll create a static IP address and launch a virtual machine. Then, you’ll deploy the vulnerable application. Next, you’ll set up and run the application. Then, you’ll access and scan the application. Finally, you’ll fix the vulnerabilities and re-scan the application.

Setup

Before you click Start Lab

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This practical lab lets you do the activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. On the left is the Lab Details panel with the following:

    • Time remaining
    • The Open Google Cloud console button
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
    Note: If you need to pay for the lab, a pop-up opens for you to select your payment method.
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window) if you are running the Chrome browser. The Sign in page opens in a new browser tab.

    Tip: You can arrange the tabs in separate, side-by-side windows to easily switch between them.

    Note: If the Choose an account dialog displays, click Use Another Account.
  3. If necessary, copy the Google Cloud username below and paste it into the Sign in dialog. Click Next.

{{{user_0.username | "Google Cloud username"}}}

You can also find the Google Cloud username in the Lab Details panel.

  4. Copy the Google Cloud password below and paste it into the Welcome dialog. Click Next.
{{{user_0.password | "Google Cloud password"}}}

You can also find the Google Cloud password in the Lab Details panel.

Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.

Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:
    • Accept the terms and conditions
    • Do not add recovery options or two-factor authentication (because this is a temporary account)
    • Do not sign up for free trials

After a few moments, the Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Launch a virtual machine

In this task, you’ll create a static IP address and launch the virtual machine to run the vulnerable application.

  1. On the Google Cloud console title bar, click the Activate Cloud Shell icon. If prompted, click Continue.
  2. Copy the following command into the Cloud Shell terminal:
gcloud compute addresses create xss-test-ip-address --region={{{project_0.default_region | "REGION"}}}

This command creates a static IP address named xss-test-ip-address in the specified region. This static IP will be used for reaching and scanning the vulnerable web application.

  3. Press ENTER.

If prompted, click Authorize.

  4. Copy the following command into the Cloud Shell terminal:
gcloud compute addresses describe xss-test-ip-address \
    --region={{{project_0.default_region | "REGION"}}} --format="value(address)"

This command returns the static IP address you generated.

  5. Press ENTER.
  6. Copy the IP address from the output and save it in a notepad. You’ll need to use this in a later task.
  7. Copy the following command into the Cloud Shell terminal:
gcloud compute instances create xss-test-vm-instance --address=xss-test-ip-address --no-service-account \
    --no-scopes --machine-type=e2-micro --zone={{{project_0.default_zone | "ZONE"}}} \
    --metadata=startup-script='apt-get update; apt-get install -y python3-flask'

This command creates a VM instance to run the vulnerable application.

  8. Press ENTER.
Note: The startup script installs python3-flask, a web application framework used to run a simple Python application. This application demonstrates a cross-site scripting (XSS) vulnerability, which is a common web application security vulnerability.

Click Check my progress to verify that you have completed this task correctly.

Launch a virtual machine

Task 2. Set up and run the vulnerable application

In this task, you’ll download and extract the web application files for the vulnerable application, and then deploy the application in the SSH-in-browser.

First, you’ll create a firewall rule that will allow Web Security Scanner to access the vulnerable application.

  1. Copy the following command into the Cloud Shell terminal:
gcloud compute firewall-rules create enable-wss-scan \
    --direction=INGRESS --priority=1000 \
    --network=default --action=ALLOW \
    --rules=tcp:8080 --source-ranges=0.0.0.0/0

This command creates a firewall rule that allows access to the web application from any source IP address. This allows the Web Security Scanner to access the vulnerable application and perform a scan.

  2. Press ENTER.

Next, use an SSH connection to connect to the VM instance.

  1. In the Google Cloud console, click the Navigation menu.
  2. Select Compute Engine > VM instances.
  3. On the VM instances page, in the Connect column, click on the SSH button next to your test instance.

This will open an SSH connection to your VM instance in a new browser window.

  4. A pop-up may appear asking you to allow SSH-in-browser to connect to VMs. Click Authorize.

Now, extract the web application files.

  1. Copy the following command into the SSH-in-browser page (not in Cloud Shell):
gsutil cp gs://cloud-training/GCPSEC-ScannerAppEngine/flask_code.tar . && tar xvf flask_code.tar

This command downloads and extracts the vulnerable web application files.

  2. Press ENTER.

  3. Finally, copy the following command into the SSH-in-browser page:

python3 app.py

This command starts the application.

  4. Press ENTER.

A message should indicate that the application is up and running.

Note: Since this is a web application that was installed for use in development, there may be vulnerabilities associated with the configuration file. It is important to test any application prior to use on a public-facing network.

Note: Do not close the SSH-in-browser page when performing the next task, as the application must continue to run.

Click Check my progress to verify that you have completed this task correctly.

Set up and run the vulnerable application

Task 3. Access the vulnerable application

In this task, you’ll test your application for a vulnerability known as cross-site scripting (XSS). XSS vulnerabilities allow an attacker to inject malicious scripts, such as HTML or JavaScript code, into content that is then served to other users’ web browsers.

  1. While the application is running, open a new browser window.
  2. Copy the URL below into the browser tab, and replace <YOUR_EXTERNAL_IP> with the static IP address of the VM you saved in a notepad in Task 1:
http://<YOUR_EXTERNAL_IP>:8080

A Cymbal Bank corporate banking portal with a web form should appear.

  3. Copy the following HTML code, including the script tags, into the web form:
<script>alert('This is an XSS Injection to demonstrate one of OWASP vulnerabilities')</script>

This code demonstrates the injection of a script into the page, an instance of the OWASP® web application vulnerability known as XSS.

A web page for Cymbal Bank's demo application displays a web form containing a cross-site scripting script

  4. Click POST.

The injected code displays a message back to the browser. This action by itself is not malicious; however, attackers can introduce malicious code into an exploitable application to steal data from it or implant malware onto the user's device.

The alert window opens with the following message: “This is an XSS Injection to demonstrate one of OWASP vulnerabilities”.

Task 4. Scan the application

In this task, you’ll scan the application for vulnerabilities using the Web Security Scanner.

First, enable the Web Security Scanner API.

  1. In the Google Cloud console, click the Navigation menu.
  2. Select APIs & Services > Enabled APIs and services. The APIs & Services page displays.
  3. Click + Enable APIs and services.
  4. In the search field, type Web Security Scanner, and press ENTER.
  5. Select Web Security Scanner API.
  6. Click Enable.

Now, scan the application for vulnerabilities.

  1. In the Google Cloud console, click the Navigation menu > View All Products.
  2. Select Security > Web Security Scanner.

If the Web Security Scanner API is enabled, the Cloud Web Security Scanner page displays the Scan configs details.

  3. In the Cloud Web Security Scanner toolbar, click + New scan.

  4. In the Name section, name the scan Cross-Site Scripting scan.

In the Starting URLs section, the Starting URLs 1 field should be pre-populated with your static IP address.

  5. Add a colon and the port number 8080 at the end of the IP address. The Starting URL 1 should resemble the following:
http://<YOUR_EXTERNAL_IP>:8080
  6. If present, delete Starting URL 2.
  7. In the Excluded URLs section, verify that Authentication is set to None and Schedule is set to Never. Leave all other fields unchanged.
  8. Click Save to create the scan.
  9. Click Run Scan to start the scan.
  10. Return to the SSH-in-browser window.

In the SSH-in-browser window, you should see request logs being generated as Web Security Scanner tests all possible URLs for potential vulnerabilities.

  11. When the scan is complete, return to the Google Cloud console.
Note: The scan might take 5-10 minutes to complete.

The Results tab should indicate the cross-site scripting vulnerabilities, demonstrating how Web Security Scanner can detect an XSS vulnerability.

The vulnerabilities can also be found in the Vulnerabilities tab under Security Command Center.

Click Check my progress to verify that you have completed this task correctly.

Scan the application

Task 5. Remediate the vulnerabilities

In this task, you'll remediate the application's XSS vulnerability and re-run the application with the new fix.

The scanner’s recommendation for fixing the reported vulnerabilities is to validate and escape untrusted user-supplied data; the finding also links to the corresponding OWASP® guidance.

You will do this by editing the code of the vulnerable application to include lines of code that validate and escape the user-supplied data.

  1. Return to the SSH-in-browser page connected to your VM instance.
  2. Press CTRL + C to stop the running application. Alternatively, you can click the Send key combination icon on the top right corner of the SSH-in-browser window to input the CTRL + C key combination.

Now, edit the app.py file using the nano editor.

  3. Copy the following command into the SSH-in-browser page:
nano app.py

This command opens the nano code editor.

  4. Press ENTER.

  5. To fix the XSS vulnerability, you validate and escape the output string variable. The output string is the processed output of the user-supplied web form input.

Ensure that the application does not accept user input as HTML code; instead, it escapes the special characters supplied in the user input. To do this, locate the two lines that set the output string:

    # output_string = "".join([html_escape_table.get(c, c) for c in input_string])
    output_string = input_string
  6. Remove the # symbol from the first line, and add it to the beginning of the next line (ensure that you indent your code properly). The final lines must resemble the following:
@app.route('/output')
def output():
    output_string = "".join([html_escape_table.get(c, c) for c in input_string])
    # output_string = input_string
    return flask.render_template("output.html", output=output_string)
  7. Press CTRL + X to exit nano, then Y to confirm saving your changes, and then ENTER to keep the file name.
  8. Copy the following command into the SSH-in-browser terminal:
python3 app.py

This command re-runs the application.

  9. Press ENTER.
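To make the effect of this one-line fix concrete, and to show what the browser actually receives in Task 3 before and after the change, here is a small stand-alone example. It is added here and is not the lab’s app.py: the lab’s html_escape_table is not shown on this page, so the table below is an assumption covering the five HTML-significant characters, render_page is a stand-in for the output.html template, and the sample input is the payload pasted into the form in Task 3.

```python
import html

# Escape table in the style of the lab's app.py. The lab's own table is not
# reproduced on the page; this one is an assumption covering the five characters
# that are significant in HTML and that Python's html.escape() also handles.
HTML_ESCAPE_TABLE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

# Constructed sample input: the payload pasted into the web form in Task 3.
XSS_PAYLOAD = (
    "<script>alert('This is an XSS Injection to demonstrate one of OWASP "
    "vulnerabilities')</script>"
)


def vulnerable_output(input_string: str) -> str:
    """Equivalent of the 'before' line in Task 5 (output_string = input_string).

    The user-supplied string is handed to the template unchanged, so if the
    template places it into the page as raw HTML the browser parses and runs it.
    """
    return input_string


def escaped_output(input_string: str) -> str:
    """Equivalent of the 'after' line in Task 5.

    Each character is looked up in the escape table and replaced by its HTML
    entity when one exists; every other character passes through unchanged.
    Because the lookup is per character, an '&' is never escaped twice.
    """
    return "".join([HTML_ESCAPE_TABLE.get(c, c) for c in input_string])


def render_page(body: str) -> str:
    """Stand-in for the output.html template (assumption, not the lab's file):
    drops the string into markup so the full response can be inspected."""
    return f"<html><body><p>{body}</p></body></html>"


def contains_markup_delimiters(rendered_body: str) -> bool:
    """Check on the value handed to the template: any remaining '<' or '>'
    means the browser would treat part of the user input as a tag."""
    return "<" in rendered_body or ">" in rendered_body


def matches_stdlib_escaping(input_string: str) -> bool:
    """Cross-check the hand-written table against the standard library's
    html.escape, which escapes the same five characters when quote=True."""
    return escaped_output(input_string) == html.escape(input_string, quote=True)


if __name__ == "__main__":
    print("before:", render_page(vulnerable_output(XSS_PAYLOAD)))
    print("after: ", render_page(escaped_output(XSS_PAYLOAD)))
```

Running the file prints the page body as the browser would receive it in each case: before the fix the script element survives intact, after it the same text is inert entities that the browser shows literally. Escaping at the point of output is the control the lab applies; the other half of the scanner’s recommendation, validating the input before it is stored or processed, is a separate check that this example does not replace.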

Click Check my progress to verify that you have completed this task correctly.

Remediate the vulnerabilities

Task 6. Re-scan the web application

In this task, you’ll re-scan the application to make sure there are no vulnerabilities.

  1. Return to the Cloud Web Security Scanner page in the Google Cloud console.
  2. Click Run to re-run the scan.
Note: The scan might take 5-10 minutes to complete.

The Results tab should now indicate that there are no vulnerabilities found.

Click Check my progress to verify that you have completed this task correctly. Be sure you wait until the scan completes to get credit for completing this task.

Re-scan the web application

Conclusion

Great work!

Through this lab, you gained practical experience in scanning for application vulnerabilities. You learned the importance of a security analyst's ability to scan for application vulnerabilities, which is essential for helping identify and address potential weaknesses, managing risks, meeting compliance requirements, and ultimately, maintaining a robust security posture to protect an organization’s assets and reputation.

By closing security gaps and addressing weaknesses, you can help prevent potential exploitation, minimize the impact of security incidents, and maintain compliance with industry regulations.

In this lab, you completed one of the fundamental aspects of proactive cybersecurity strategies.

End your lab

Before you end the lab, make sure you’re satisfied that you’ve completed all the tasks. When you're ready, click End Lab and then click Submit.

Ending the lab will remove your access to the lab environment, and you won’t be able to access the work you've completed in it again.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
